This document is a study note on IP services in ICND2, and everything in this document is
strictly within the study guides. A few extra topics are discussed only for clarity of the
subject. I have tried my best to be very clear on the topics discussed. I believe this study
note will help you a lot in your studies for the ICND2 exam.
CHAPTER 1
SNMP
What is SNMP?
Simple Network Management Protocol (SNMP) is an application-layer protocol defined by
the Internet Architecture Board (IAB) for exchanging management information between
network devices. It is part of the Transmission Control Protocol/Internet Protocol (TCP/IP)
protocol suite. Devices that typically support SNMP include routers, switches, servers,
workstations, printers and modem racks.
In typical SNMP uses, one or more administrative computers, called managers, have the
task of monitoring or managing a group of hosts or devices on a computer network. Each
managed system executes, at all times, a software component called an agent which
reports information via SNMP to the manager. SNMP communicates management
information between the network management stations and the agents in the network
elements.
Some examples of the type of information that can be retrieved through SNMP are:
System up time
CPU usage level
Disk usage level
Network settings, etc.
Information can not only be retrieved; these network devices can also be configured
with new values through SNMP.
SNMP Communities
SNMP Agent:
The agent is a program that is packaged within the managed device. Enabling the agent
allows it to collect the management information base (MIB) data from the device locally and
make it available to the SNMP manager when queried. These agents can be
standard (e.g. Net-SNMP) or specific to a vendor (e.g. the HP Insight agent). On Cisco routers
and switches it is not required to install any agent software.
SNMP agent key functions
Collects management information about its local environment
Stores and retrieves management information as defined in the MIB
Signals an event to the manager
Acts as a proxy for some non-SNMP manageable network node
Replies to NMS queries
Changes MIB variables when requested by the NMS
Every object in the MIB is a MIB variable, identified by an OID; "MIB variable" and "OID" are
used interchangeably. The MIB variables contain pertinent management information such as
interface up/down, 90% CPU used, etc.
SNMP Messages
GET: This message is a request sent by the manager to the managed device. It is
used to retrieve one or more values from the managed device.
GET-NEXT: This message is similar to GET. The significant difference is that the
GET-NEXT operation retrieves the value of the next OID in the MIB tree.
GET-BULK: This message is initiated by the manager to retrieve voluminous data from a large
MIB table. It is supported only in SNMPv2 and v3.
SET: This message is used by the manager to modify or assign the value of a variable on the
managed device.
TRAPS: Unlike the above messages, which are initiated by the SNMP manager, TRAPs
are initiated by the agent. A TRAP is a signal from the agent to the SNMP manager on the
occurrence of an event.
INFORM: This message is sent by the manager to the agent to acknowledge the TRAP message
received from the agent, since SNMP uses UDP; it was introduced in SNMPv2.
RESPONSE: This is the reply message from the agent to the GET, GET-NEXT, GET-BULK and SET
messages initiated by the SNMP manager.
SNMP Communities
An SNMP community is the group that devices and management stations running SNMP
belong to. It helps define where information is sent. The community name is used to
identify the group. An SNMP device or agent may belong to more than one SNMP
community. It will not respond to requests from management stations that do not belong to
one of its communities. To enable successful communication between an SNMP agent and
an SNMP manager, you must configure at least one community name in SNMP. A
community name acts as a password that is shared, typically, by multiple SNMP agents
and one or more SNMP managers. An SNMP agent only accepts requests from SNMP
managers that are on the agent's list of acceptable community names.
SNMP community strings authenticate access to MIB objects and function as embedded
passwords. In order for the NMS to access the agent, the community string definition on
the NMS must match at least one of the three community string definitions on the agent.
A community string can have one of these attributes:
Versions in SNMP
SNMPv1 supports plaintext authentication with community strings and uses only UDP.
UDP port 161 is used by default, and TRAP/INFORM messages use port 162.
SNMPv2 revises version 1 and includes improvements in the areas of performance,
confidentiality, and manager-to-manager communications. It also supports plaintext
authentication. It offers a more detailed error message reporting method, but it is not more
secure than v1. It uses UDP, although it can be configured to use TCP.
SNMPv3 primarily added security and remote configuration enhancements to SNMP.
Although SNMPv3 makes no changes to the protocol aside from the addition of
cryptographic security, it looks much different due to new textual conventions, concepts,
and terminology. SNMPv3 uses cryptography in three areas:
1. Data integrity (MD5 or SHA-1)
2. Authentication (MD5 or SHA-1)
3. Privacy (DES, 3DES, AES)
Model   Level          Authentication     Encryption
V1      NoAuthNoPriv   Community string   None
V2c     NoAuthNoPriv   Community string   None
V2u     NoAuthNoPriv   Username           None
V3      NoAuthNoPriv   Username           None
V3      AuthNoPriv     MD5 or SHA         None
V3      AuthPriv       MD5 or SHA         DES, 3DES, AES
An SNMP agent can also send unsolicited MIB information to the SNMP manager in
response to an event that has been defined as an SNMP trap (an unexpected event). NMS
software might alert the engineer by various mechanisms, such as a change in colour code,
alarms, or sending an SMS or email alert to the engineer. To be proactive, the software can also
be configured to alert the engineer when a service or health check counter on a device
exceeds or goes below a certain limit. For example, it can be configured to alert when CPU
usage exceeds 80% or the CPU temperature exceeds a certain limit. Some traps are enabled by
default and others have to be configured if you wish. The device can also be configured to send
a trap for syslog notifications.
Devices send trap messages with no acknowledgement that the NMS received the
message; using protocol terminology, these messages are considered unreliable. A later
version of the SNMP protocols (Version 3) supports an alternative process with inform
messages, which use an acknowledgement process, so they are called reliable.
When a trap is received from the agent, the administrator can troubleshoot the device by
initiating GET, GET-NEXT, GET-BULK or SET messages. You can even reconfigure the device through
the SNMP variables in the MIB via SET messages if you permit this level of control. For
example, replacing the running/startup configuration, rebooting the router and so on can
be done by SET message, but only if read-write access is configured in the community.
When an SNMP manager sends a query or set request to the SNMP agent, the SNMP
service compares the community name of the requester with the community name of the
agent and its access permissions. If the names match, the SNMP manager is successfully
authenticated, and the agent replies to the query or performs the set request. If the
community names do not match, the SNMP agent considers the request a failed access
attempt and, if configured to do so, can send an SNMP trap message notifying the trap
destination that an improper access has been attempted.
SNMPv2 Configuration
Just three steps are needed to configure SNMP on a Cisco device:
1. Configure communities (required).
2. Configure the SNMP contact information (optional).
3. Configure the SNMP location (optional).
A community has the following sub-parameters:
1. String (required)
2. Access mode: ro/rw (optional; ro is the default)
3. ACL name or number (optional)
It is better to specify ro/rw explicitly according to your requirement: on some IOS versions ro is
the default and on some rw is the default. This I write based on my experience in the lab. For CCNA
we study only these 3 sub-parameters; actually there are more.
Example configuration
Router#conf t
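As an added illustration of the community check described earlier (the agent compares the requester's community string, the community's access mode and its ACL, and treats a mismatch as a failed access attempt), here is a small Python model of that behaviour built from the same three community sub-parameters listed above. It is example code written for this note, not Cisco software: the community names, the management subnet 10.1.10.0/24, the contact/location values and the trap record layout are constructed, while the two OIDs are the standard MIB-2 sysContact and sysLocation objects.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Standard MIB-2 system group objects, used here as the sample MIB variables.
SYS_CONTACT = "1.3.6.1.2.1.1.4.0"
SYS_LOCATION = "1.3.6.1.2.1.1.6.0"


@dataclass
class Community:
    """Model of one community entry: string, access mode (ro/rw) and optional ACL."""
    string: str
    access: str = "ro"                 # "ro" (default) or "rw"
    acl: Optional[list] = None         # permitted manager networks; None means any source


@dataclass
class Agent:
    communities: list
    mib: dict = field(default_factory=dict)
    traps: list = field(default_factory=list)   # authentication-failure traps raised

    def _match(self, string: str, source: str) -> Optional[Community]:
        """Return the community this request may use, or None if string/ACL do not match."""
        src = ipaddress.ip_address(source)
        for c in self.communities:
            if c.string != string:
                continue
            if c.acl is None or any(src in ipaddress.ip_network(n) for n in c.acl):
                return c
        return None

    def request(self, op: str, string: str, source: str, oid: str, value=None):
        """Handle a GET or SET from a manager at `source` presenting community `string`.

        Returns the value for a permitted GET/SET, "noAccess" for a SET through a
        read-only community, and None (no reply; the failed access attempt is recorded
        as an authenticationFailure trap) when no community matches.
        """
        community = self._match(string, source)
        if community is None:
            self.traps.append(("authenticationFailure", source, string))
            return None
        if op == "GET":
            return self.mib.get(oid)
        if op == "SET":
            if community.access != "rw":
                return "noAccess"
            self.mib[oid] = value
            return value
        raise ValueError(f"unsupported operation {op!r}")


def build_agent() -> Agent:
    """Constructed sample agent: 'public' is read-only from anywhere, 'private' is
    read-write but only from the (constructed) management subnet 10.1.10.0/24."""
    return Agent(
        communities=[
            Community("public", "ro"),
            Community("private", "rw", acl=["10.1.10.0/24"]),
        ],
        mib={SYS_CONTACT: "noc@example.com", SYS_LOCATION: "Lab rack 1"},
    )


if __name__ == "__main__":
    agent = build_agent()
    print(agent.request("GET", "public", "10.1.10.100", SYS_CONTACT))        # noc@example.com
    print(agent.request("SET", "public", "10.1.10.100", SYS_CONTACT, "x"))   # noAccess
    print(agent.request("SET", "private", "10.1.10.100", SYS_CONTACT, "x"))  # x
    print(agent.request("GET", "private", "192.0.2.7", SYS_CONTACT))         # None (blocked by ACL)
    print(agent.traps)
```

The last call shows why the ACL sub-parameter matters: a correct read-write string presented from outside the permitted subnet is treated exactly like a wrong string, and the attempt is recorded as a trap for the NMS instead of being answered.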
CHAPTER 2
NETFLOW
What is NetFlow?
NetFlow is a feature that was introduced on Cisco routers that provides the ability to collect
IP network traffic as it enters or exits an interface. NetFlow data is generated by network
devices like routers and firewalls. Flow data will generally contain details like source and
destination IP addresses, port numbers, protocols, and more. By analyzing the data
provided by NetFlow, a network administrator can determine things such as the source and
destination of traffic, class of service, and the causes of congestion. The term NetFlow is
proprietary to Cisco, but other vendors have their own versions of flow export. For instance,
Juniper calls it J-Flow, and several vendors, including HP and Fortinet, use sFlow.
Cisco routers/switching devices export NetFlow as UDP packets. NetFlow v5 is the most
popular NetFlow format, but it is not compatible with IPv6. Because of this, NetFlow v5 is
slowly being replaced by NetFlow v9, which supports IPv6. In addition, the IETF is working
on a new version of NetFlow called IPFIX (sometimes referred to as NetFlow v10). NetFlow
version 9 is the latest Cisco IOS NetFlow innovation.
When Cisco set out to create NetFlow, they recognized two key criteria in its creation:
Achieving these design criteria ensured that NetFlow is very easy to implement in the most
complex of existing networks.
The analogy for NetFlow is a detailed phone bill. These phone records provide call-by-call
and aggregated statistics that enable the administrator (the person paying the bill) to track
long calls, frequent calls, or even calls that should not have been made at all. NetFlow does
a similar thing: it gives details of bandwidth usage.
Components of Netflow
A typical flow monitoring setup (using NetFlow) consists of three main components:
Flow exporter: aggregates packets into flows and exports flow records towards one or
more flow collectors.
Flow collector: responsible for reception, storage and pre-processing of flow data received
from a flow exporter.
Analysis application: analyzes received flow data in the context of intrusion detection or
traffic profiling, for example.
Here, NetFlow is enabled on the NetFlow exporter (the router in the figure). The exporter monitors
packets entering an Observation Point and creates Flows from these packets. The
information from these Flows is exported in the form of Flow Records to the NetFlow
collector. The analysis software then analyses the flow storage in the NetFlow collector and
produces reports or graphs that are readable by the network administrator.
What is an IP Flow?
An IP Flow, also called a Flow, is defined as a set of IP packets passing an Observation
Point in the network during a certain time interval. All packets that belong to a particular
Flow have a set of common properties derived from the data contained in the packet and
from the packet treatment at the Observation Point.
Each packet that is forwarded within a router or switch is examined for a set of IP packet
attributes. These attributes are the IP packet identity or fingerprint of the packet and
determine if the packet is unique or similar to other packets.
One IP flow is created for all packets that match all 7 parameters, and the flows are stored in the
router as flow 1, flow 2, flow 3, and so on.
NetFlow version 5 (one of the most commonly used versions, followed by version 9)
contains the following:
NetFlow Version 9 includes these fields and more, including Multiprotocol Label Switching
(MPLS) labels and IPv6 addresses and ports.
After observing IP packets on an interface, the router forms IP flows. When a timer expires (or a
flow expires, or the cache is full) it creates NetFlow records out of the IP flows and sends
these NetFlow records to the collector.
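To make the flow-creation and export process concrete, here is a toy flow cache in Python, added as an example for this note (it is not Cisco code). It assumes the classic seven NetFlow v5 key fields (source and destination IP, source and destination port, layer-3 protocol, ToS byte and input interface), which the note refers to as "all 7 parameters" without listing them; the packets, timestamps and timeout values below are constructed.

```python
from dataclasses import dataclass

# The seven NetFlow v5 key fields (assumed from the classic NetFlow definition;
# the note above refers to them as "all 7 parameters" without listing them).
FLOW_KEY = ("src_ip", "dst_ip", "src_port", "dst_port", "protocol", "tos", "in_if")


@dataclass
class Flow:
    key: tuple
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0


class FlowCache:
    """Toy exporter cache: aggregate packets into flows, then expire flows into records."""

    def __init__(self, active_timeout=1800.0, inactive_timeout=15.0, max_entries=4096):
        self.active_timeout = active_timeout      # long-lived flows are cut and exported
        self.inactive_timeout = inactive_timeout  # idle flows are exported
        self.max_entries = max_entries
        self.cache = {}      # key -> Flow (what 'show ip cache flow' would list)
        self.records = []    # exported flow records (what the collector receives)

    def observe(self, pkt: dict, now: float) -> None:
        """Match a packet to an existing flow on all seven keys, or open a new flow."""
        key = tuple(pkt[f] for f in FLOW_KEY)
        flow = self.cache.get(key)
        if flow is None:
            if len(self.cache) >= self.max_entries:
                self.expire(now, force=True)      # cache full: flush everything
            flow = self.cache[key] = Flow(key, now, now)
        flow.packets += 1
        flow.octets += pkt["length"]
        flow.last_seen = now

    def expire(self, now: float, force: bool = False) -> int:
        """Turn timed-out (or, with force, all) flows into records; return how many."""
        exported = 0
        for key, flow in list(self.cache.items()):
            idle = now - flow.last_seen >= self.inactive_timeout
            aged = now - flow.first_seen >= self.active_timeout
            if force or idle or aged:
                record = dict(zip(FLOW_KEY, key))
                record.update(packets=flow.packets, octets=flow.octets,
                              duration=flow.last_seen - flow.first_seen)
                self.records.append(record)
                del self.cache[key]
                exported += 1
        return exported


def make_packet(src_ip, dst_ip, src_port, dst_port, protocol, in_if, length, tos=0):
    """Constructed packet header summary (only the fields NetFlow looks at)."""
    return dict(src_ip=src_ip, dst_ip=dst_ip, src_port=src_port, dst_port=dst_port,
                protocol=protocol, tos=tos, in_if=in_if, length=length)


def run_demo() -> list:
    """Constructed traffic: an HTTP request flow, its reply flow, and one DNS query."""
    cache = FlowCache()
    cache.observe(make_packet("10.1.1.10", "10.2.2.20", 40000, 80, 6, "Fa0/0", 60), 0.0)
    cache.observe(make_packet("10.1.1.10", "10.2.2.53", 53000, 53, 17, "Fa0/0", 80), 0.2)
    cache.observe(make_packet("10.2.2.20", "10.1.1.10", 80, 40000, 6, "Fa0/1", 1400), 0.4)
    cache.observe(make_packet("10.1.1.10", "10.2.2.20", 40000, 80, 6, "Fa0/0", 1500), 0.5)
    cache.observe(make_packet("10.1.1.10", "10.2.2.20", 40000, 80, 6, "Fa0/0", 60), 1.0)
    cache.expire(5.0)     # nothing has been idle for 15 s yet: no records
    cache.expire(20.0)    # all three flows idle >= 15 s: exported to the collector
    return cache.records


if __name__ == "__main__":
    for record in run_demo():
        print(record)
```

Note that the reply packets from the web server form their own flow: NetFlow flows are unidirectional, so the request and reply directions of one TCP connection are exported as two separate records, which is why a collector has to pair them when it reports a conversation.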
Purposes of Netflow
While the potential uses of the statistics that NetFlow provides is quite vast, most
organizations use NetFlow for some or all of the following key purposes:
General network traffic accounting for baseline analysis
Usage-based network billing for consumers of network services
Network design, including redesigns to include new network devices and
applications to meet the needs of growing infrastructures
General network security design
Denial of service (DoS) and distributed DoS (DDoS) detection and prevention data
Ongoing network monitoring
Validate network QoS policies
Network traffic accounting
NetFlow data provides fine-grained metering (e.g. flow data includes details such as IP
addresses, packet and byte counts, timestamps, type-of-service and application ports,
etc.) for highly flexible and detailed resource utilization accounting. Service providers may
utilize this information to migrate away from single fee, flat rate billing to more flexible
charging mechanisms based on time-of-day, bandwidth usage, application usage, quality
of service, etc. Enterprise customers may utilize the information for departmental
chargeback or cost allocation for resource utilization.
Usage-based network billing
You can cross-check ISP charges with your own billing system available with the Billing
add-on. You can also associate bandwidth costs to each department in your organization
to help you plan well with allocated bandwidth budgets. The Billing add-on over the
NetFlow plug-in helps you to account your bandwidth by assigning costs to usage (volume-based)
or bandwidth (speed-based).
Network design
NetFlow data provides key information to optimize both strategic network planning (e.g.
who to peer with, backbone upgrade planning, routing policy planning) as well as tactical
network engineering decisions (e.g. adding additional VIPs to routers, upgrading link
capacity) minimizing the total cost of network operations while maximizing network
performance, capacity and reliability.
General network security design
Every enterprise has its own model for network design. Normal tools for security are
firewalls, ACLs, IPS, VPN, password authentication, antivirus, anti-malware, etc. Most
enterprises follow a layered approach to security design using these tools. NetFlow aids in
these designs by monitoring the bandwidth.
One scenario:
A network engineer observes anomalous peaks in network load at the start of the business
day. He views the traffic report and observes spikes in the traffic pattern. He suspects a
possible worm attack that has been known to be affecting computer networks elsewhere.
To confirm his suspicion he views the Troubleshoot report in the NetFlow Analyzer. He
finds unusually high traffic on port UDP 1434, which is characteristic of a SQL Slammer
virus attack. Now he can drill down to see the IP addresses from which this attack is
originating and also the list of IP addresses that are infected. He can now block the source
of this attack and then proceed to apply the appropriate patch on the infected IPs. NetFlow
Analyzer helps network managers to quickly identify the cause of attacks and take
immediate corrective action to contain any possible damage.
DoS, DDoS
A denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an attempt to
make a machine or network resource unavailable to its intended users. One common
method of attack involves saturating the target machine with external communications
requests, so much so that it cannot respond to legitimate traffic, or responds so slowly as
to be rendered essentially unavailable. In case of Denial-of-Service (DoS) attacks, the
NetFlow analyzer facilitates quick problem isolation and resolution to bring down your
Mean Time To Resolve.
Configuring NetFlow v9
These four steps must be completed to properly implement NetFlow on a router:
1. Configure NetFlow data capture by configuring ingress (incoming) and egress (outgoing)
packets on an interface.
2. Configure NetFlow data export by specifying the IP address of the NetFlow collector and
the UDP port the collector listens on, in global configuration mode.
3. Configure the NetFlow data export version by specifying the version of NetFlow in global
configuration mode.
4. Configure the NetFlow data source interface by specifying a logical interface of the device in
global configuration mode.
Here is an example of configuring NetFlow on a router:
Router(config)#int fa0/0
Router(config-if)#ip flow ingress
Router(config-if)#ip flow egress
Router(config-if)#exit
Router(config)#ip flow-export destination 10.1.10.100 9996
Router(config)#ip flow-export version 9
Router(config)#ip flow-export source loopback 0
Note here that the ip flow-export global command has three alternative keywords:
Router(config)#ip flow-export ?
destination
source
version
Another thing to notice is that the source address is not the interface being monitored. A
logical interface such as loopback 0 is used for this purpose.
Verification of ip flow
You can check the local NetFlow cache on a router directly, proving that the router is at
least collecting the data, with the show ip cache flow command.
R1# show ip cache flow
You can see that 255 packets have been monitored by NetFlow. The bottom lines show
that the router is collecting flows for Telnet and HTTP. You can see the source port and
destination port in hex: 44 (68 in decimal) and 50 (80 in decimal). You can also see the source IP
address and destination IP address. It is important to remember that the show ip cache flow
command provides a summary of NetFlow statistics, including which protocols are in use.
You can use the command show ip flow interface to verify that you have NetFlow
configured on the correct interfaces in the correct directions.
R1# show ip flow interface
FastEthernet0/0
ip flow ingress
ip flow egress
Then, to check the configuration of your export parameters, you can use the command
show ip flow export.
R1# show ip flow export
Flow export v9 is enabled for main cache
Export source and destination details :
VRF ID : Default
Source(1) 1.1.1.1 (Loopback0)
Destination(1) 10.1.10.100 (99)
Version 9 flow records
0 flows exported in 0 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
CHAPTER 3
SYSLOG
Overview
It is amazing just how helpful Cisco devices try to be to their administrators. When major
(and even not-so-major) events take place, these Cisco devices attempt to notify
administrators with detailed system messages. As you learn in this section, these
messages vary from the very mundane to those that are incredibly important. Cisco devices
use a protocol called syslog which permits your various Cisco devices (and some other
non-Cisco devices) to send their system messages across the network to syslog servers.
You should note that you can even build a special out-of-band (OOB) network (use of a
dedicated channel for managing network devices) for this purpose. There are many
different syslog server software packages for Windows and UNIX. Many of them are even
freeware, e.g. Kiwi Syslog Server.
What is syslog?
Syslog is a standardized mechanism for logging in computer systems. In computing, a log
file is a file that records either the events which happen while an operating system or
other software runs, or the personal messages between different users of a communication
software. The act of keeping a log is called logging. In the simplest case, log messages are
written to a single log file. Syslog is supported by a wide variety of devices (like printers
and routers) and receivers across multiple platforms. Because of this, syslog can be used
to integrate log data from many different types of systems into a central repository.
Syslog is a client/server protocol. A logging application transmits a text message to the
syslog receiver. The receiver is commonly called syslogd, syslog daemon or syslog server.
Syslog messages may be sent via UDP or TCP. The data is sent in clear text.
The server can email or text alerts to admins based on the severity level of the message.
Administrators can also use syslog server software to delete all of those system messages
from the database that are not important.
Severity levels, from most to least severe (level numbers start at 0):
0 Emergency (system is unstable)
1 Alert
2 Critical
3 Error
4 Warning
5 Notification
6 Informational
7 Debugging
Notice that levels 0 through 4 are for events that could seriously impact the device,
whereas levels 5 through 7 are for less important events. Obviously, an administrator can
consider this when deciding how to handle messages. For instance, the administrator
could choose to send only warning level (4) messages and lower (more severe) to the
syslog server, instead of cluttering the syslog server with messages for all eight levels.
I have made a mnemonic for these severity levels: EA CrEW have No ID yet (letters in
caps are severity levels). A common mnemonic used to remember the syslog levels from
bottom to top is: "Do I Notice When Evenings Come Around Early".
When I practised multiple choice questions from the Todd Lammle book, I made mistakes even
after making the mnemonic. The severity level starts with code 0, not 1. I started counting from 1
but it starts from zero.
Focus on the first two highlighted lines, which tell us something about the logging service.
The first line states that this router logs to the console and will include debug messages,
actually meaning debug level messages and all lower levels. The output also notes that ten
such messages have been logged.
The second highlighted line states that this router logs to an internal buffer. Because this
router has enabled logging to an internal buffer, the show logging command also lists the
messages in that buffer. You can see some of the system messages that have been
logged at the end of the example.
Configuring the router to send system messages to a syslog server where they can be
stored, filtered, and analyzed is a simple task:
Step 1. First, configure the destination hostname or IP address of the syslog server:
R1(config)# logging 192.168.1.101
Step 2. Next, you can control which messages are sent there. For example, to limit the
messages for levels 4 and lower (0 through 4), use the following command:
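The following Python example is added to show the severity threshold of step 2 in practice: it parses Cisco IOS style system messages (the %FACILITY-SEVERITY-MNEMONIC form shown by show logging), keeps only those at level 4 and lower as step 2 describes, and computes the syslog PRI value that prefixes a message on the wire. It is not Cisco code; the sample messages are constructed (the mnemonics are real IOS message types, but the timestamps, addresses and values are made up), and the local7 facility is assumed as the device's default facility for exported messages.

```python
import re

# Syslog severity codes as named by Cisco IOS (0 = most severe, 7 = least severe).
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}
LOCAL7 = 23   # facility code assumed as the device's default for exported messages

# IOS system message body: %FACILITY-SEVERITY-MNEMONIC: description
IOS_MSG = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)

# Constructed sample messages (real IOS mnemonics, made-up details).
SAMPLE_LOG = [
    "*Mar  1 00:12:34.567: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up",
    "*Mar  1 00:12:35.567: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up",
    "*Mar  1 00:13:00.001: %SYS-5-CONFIG_I: Configured from console by console",
    "*Mar  1 00:13:41.200: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.0.2.7",
    "*Mar  1 00:14:10.100: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed, pool Processor",
    "*Mar  1 00:14:12.300: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.7(51234) -> 10.1.1.10(23), 1 packet",
]


def parse_ios_message(line: str):
    """Split one logged line into facility, numeric severity, mnemonic and text.
    Returns None for lines that are not IOS system messages."""
    m = IOS_MSG.search(line)
    if not m:
        return None
    severity = int(m["severity"])
    return {"facility": m["facility"], "severity": severity,
            "level": SEVERITY_NAMES[severity],
            "mnemonic": m["mnemonic"], "text": m["text"]}


def select_for_server(lines, max_severity: int = 4) -> list:
    """Keep messages whose level number is max_severity or lower (i.e. as severe or
    more severe), which is the filtering step 2 describes for the syslog server."""
    kept = []
    for line in lines:
        msg = parse_ios_message(line)
        if msg is not None and msg["severity"] <= max_severity:
            kept.append(msg)
    return kept


def syslog_pri(severity: int, facility: int = LOCAL7) -> int:
    """PRI value carried in the <...> prefix of a syslog packet: facility * 8 + severity."""
    return facility * 8 + severity


if __name__ == "__main__":
    for msg in select_for_server(SAMPLE_LOG):
        print(f"<{syslog_pri(msg['severity'])}> {msg['level']:<14} "
              f"%{msg['facility']}-{msg['severity']}-{msg['mnemonic']}: {msg['text']}")
```

Of the six constructed messages, only the three at levels 2 and 3 would reach the server with a threshold of 4; the SNMP authentication-failure message among them ties back to Chapter 1, where a failed community check was described as something the device can report.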
This document only tries to explain what is written in the CCNA study guides. I didn't discuss any
advanced topic on SNMP, NetFlow or syslog. Hope this will help in your studies.
Vipin viswanathan